CVE-2022-42484: TALOS-2022-1641 || Cisco Talos Intelligence Group

SUMMARY

An OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

FreshTomato 2022.5
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
AdvancedTomato commit 67273b0

PRODUCT URLS

FreshTomato - https://www.freshtomato.org/
QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

CVSSv3 SCORE

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

DETAILS

FreshTomato is an open-source firmware based on Linux. The firmware offers several features for Broadcom-based routers.

FreshTomato's httpd component offers several APIs. One of them, logs/view.cgi, is used to query and view the log files.

One of the functions responsible for performing this API is wo_viewlog:

void wo_viewlog(char *url)
{
    char *p;
    char *c;
    char s[128];
    char t[128];
    int n;
    char lfn[256];

    if (!logok())
        return;

    get_logfilename(lfn);
    if ((p = webcgi_get("find")) != NULL) {                                                 [1]
        send_header(200, NULL, mime_plain, 0);
        if (strlen(p) > 64)
            return;

        c = t;
        while (*p) {
            switch (*p) {
            case '<':
            case '>':
            case '|':
            case '"':
            case '\\':
                *c++ = '\\';
                *c++ = *p;
                break;
            default:
                if (isprint(*p))
                    *c++ = *p;
                break;
            }
            ++p;
        }
        *c = 0;
        snprintf(s, sizeof(s), "grep -ih \"%s\" $(ls -1rv %s %s.*)", t, lfn, lfn);          [2]
        web_pipecmd(s, WOF_NONE);                                                           [3]
        return;
    }

    if ((p = webcgi_get("which")) == NULL)
        return;

    if (strcmp(p, "all") == 0)
        n = MAX_LOG_LINES;
    else if ((n = atoi(p)) <= 0)
        return;

    send_header(200, NULL, mime_plain, 0);
    snprintf(s, sizeof(s), "cat $(ls -1rv %s %s.*) | tail -n %d", lfn, lfn, n);
    web_pipecmd(s, WOF_NONE);
}

This function fetches the find parameter at [1]. If the parameter is present, execution eventually reaches [2], which composes the string grep -ih “<parsed find parameter>” $(ls -1rv <logfilename> <logfilename>.*). At [3] this string is passed to the web_pipecmd function, which hands it to popen and prints the results.

The only processing applied to the find parameter is the loop above [2], which backslash-escapes a handful of characters (<, >, |, " and \) and drops non-printable ones. That is not real sanitization of a value that is interpolated into a double-quoted shell command string, so this function is vulnerable to command injection and can lead to arbitrary command execution.
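The root cause is that a user-controlled value is spliced into a command line that a shell parses. The following is an added example, not code from the Talos advisory or from the FreshTomato project, showing one way to remove the shell from this path: grep is executed directly with an argv vector (the pattern occupies a single argument, so shell metacharacters in it are never interpreted), and the rotated-log list is expanded with glob(3) instead of $(ls -1rv ...). The function names viewlog_grep and viewlog_grep_demo, the demo log lines and the /tmp path are assumptions; it also assumes a grep binary on PATH and lists rotated files in glob's sorted order rather than ls -1rv order.

```c
#define _GNU_SOURCE
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hardened "find" branch: exec grep with an argv so no shell parses the pattern,
 * and expand <lfn>.* with glob(3). Returns grep's exit status (0 match, 1 none) or -1. */
int viewlog_grep(const char *pattern, const char *lfn, int out_fd)
{
    if (pattern == NULL || strlen(pattern) > 64) return -1;   /* keep the original cap */
    char rotated[300], *argv[32] = { "grep", "-ih", "--", (char *)pattern, (char *)lfn };
    size_t n = 5;
    snprintf(rotated, sizeof rotated, "%s.*", lfn);
    glob_t g; int globbed = (glob(rotated, 0, NULL, &g) == 0);
    for (size_t k = 0; globbed && k < g.gl_pathc && n < 31; k++)
        argv[n++] = g.gl_pathv[k];               /* argv stays NULL-terminated */
    pid_t pid = fork();
    if (pid == 0) {                              /* child: grep writes to out_fd */
        if (dup2(out_fd, STDOUT_FILENO) >= 0) execvp("grep", argv);
        _exit(127);
    }
    int status = 0, rc = -1;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) rc = WEXITSTATUS(status);
    if (globbed) globfree(&g);
    return rc;
}

/* Constructed demo (not from the advisory): three log lines, two searches.
 * Returns the number of failed checks, 0 on success. */
int viewlog_grep_demo(void)
{
    char lfn[] = "/tmp/viewlog_demo_XXXXXX", buf[512] = {0};
    const char *log = "Jan  1 00:00:01 router dnsmasq[123]: started\n"
                      "Jan  1 00:00:02 router kernel: eth0 link up\n"
                      "Jan  1 00:00:03 router httpd: literal $(marker) text\n";
    int fd = mkstemp(lfn), pfd[2], fails = 0;
    if (fd < 0 || write(fd, log, strlen(log)) < 0 || pipe(pfd) != 0) return 99;
    close(fd);
    int rc1 = viewlog_grep("KERNEL", lfn, pfd[1]);     /* -i: case-insensitive */
    int rc2 = viewlog_grep("$(marker)", lfn, pfd[1]);  /* shell syntax stays literal */
    close(pfd[1]);
    if (read(pfd[0], buf, sizeof buf - 1) < 0) fails++;
    close(pfd[0]); unlink(lfn);
    if (rc1 != 0 || strstr(buf, "link up") == NULL) fails++;
    if (rc2 != 0 || strstr(buf, "literal $(marker) text") == NULL) fails++;
    return fails;
}
```

With a shell in the loop, the second search would have had $(marker) expanded before grep ever saw it; here grep receives the bytes verbatim and simply matches the line that contains them.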

TIMELINE

2022-10-19 - Vendor Disclosure

2022-11-08 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.
